Online banking security
I have to confess I still use a Windows box for some things that require security of financial data that I wouldn't feel entirely happy about entering using Linux. I would dearly love to free myself from this dependency and ditch 'doze altogether, but I do have the perception that the Win OS is more secure for bank transactions and whatnot, simply because everything's done for me provided I let the auto-updates install as soon as they come available and I run Kaspersky or whatever to keep the machine clear of malware. To harden a Linux distribution to the same extent would require commitment and no small amount of expertise, would it not? Even notwithstanding that there are far more nasties out there looking for chinks in Windows armor than there are for Linux. How often is it that secure data gets compromised from a Linux system? Anyone experienced this?
Personally I feel the opposite; hate using MS for banking.
General advice either way:
1. use a dedicated (minimal) env (bare metal or vm) only for banking
2. firefox with following add-ons/settings
turn off auto accept images (allow by exception)
turn off auto accept cookies (allow by exception)
type in website names by hand from a reputable src; then bookmark and stick to those bookmarks
3. never use env for anything else
4. keep updated
5. never save passwds/pins etc on the machine
(if you really want/need to; try keepass/keepassX)
Here's another good firefox extension.
by your own admission...
I use LastPass (a FF plugin) and it's a Keeper.
Personally I'd never use a windows box for banking, I strictly stick to linux for that. I don't have flash or java (or any other plugin) installed, and I use a number of firefox addons to protect myself. The list includes:
- Request policy
- Adblock Plus
- Ref control
- Cookie Monster
- GreaseMonkey (+ some scripts)
- HTTPS Everywhere
Be sure to try out RequestPolicy 1.0.0 beta! It has some extra features that the regular one doesn't.
Then again it's true that you're the one to take caution not to visit malicious websites, accept email attachments from untrusted and/or suspicious sources, etc. A security system is only as strong as its weakest link. And the weakest link is in most cases the user himself.
When a banking site says that they "only support Windows," it has nothing to do with security, but it is a pretty good sign they have a lazy and incompetent IT team.
My bank supports only IE and Firefox and are upfront about not wanting to spend the labor to test and support other browsers (I don't like it, but that is a defensible position and I can respect it). Fortunately, their site works quite well in Firefox on Linux.
There are many reasons for banks being hacked that have more to do with bad practices. If you don't protect your system and update it and change passwords often to the longest offered, you may never be very secure.
MS secure is it?
2) How can a user claim they are better protected when they don't seem to understand the concept of patch Tuesday?
The millions of the mums and dads market all believe they better "secured" because they tick a box saying get security updates automatically
---when they won't get them except on a monthly basis.
end of rant
"saying of preferring windows over Linux for banking !!"-- I would only say its a very bad idea that can cause you a nightmare anytime.
when you say security for a Bank or a financial institution one would only recommend an operating system that is as robust, customisable and can provide different levels of security and guess what LINUX has it all.
I have a hardened box I use for critical things, including online banking. Much as I like Linux (and would prefer it for banking over Windows) it runs OpenBSD and nothing is enabled or installed that isn't absolutely needed.
Unfortuantely most banks compromise your security from the start. Some of the ways are as follows:
1) Using TLS 1 instead of at least 1.1
2) Those that require a specific browser or extensions
3) Those that recommend filtering connections through third parties (eg Trusteer - though some may disagree)
4) Low grade password hashing
Ask your bank about these and others if you want to be really informed about the risks.
From the standpoint of someone with little knowlege on Linux, I would say that maintaining a Windows box dedicated for banking is a very feasible option. Keep the OS updated, antivirus, not install non-banking software, etc. In short, don't use the box for something else.
The other option is to get yourself more familiar with Linux and everything it has to offer, thereby slowly building your confidence on it.
To be honest, I used Linux for banking ever since, and even though my security wasn't as tight as some on this thread, I never experienced problems.
Most trojans are aimed at Windows Systems, because most Linux users are very experienced professionals (and if not yet, trust me, you will become one. You are interested in it, that's why you will learn it quickly), whilst most Windows users are more like "the general population" - lack of even advanced knowledge, that is, at least in my home country. They don't notice whether a trojan horse is on the system. They don't know how to use tools to check the task manager. They don't care much about outdated systems and software. If it works, it works. If it's insecure - doesn't matter. If it's hacked - not my fault. Or is it?
Most Linux users on the other hand will recognize if something's odd with their computer - and they will react to it. Linux users are very good at resolving problems (When I started out, I spent weeks with only this. But I solved them) And if you gain experience and confidence, either on a VM or a Live-USB, you will get very good at this very quickly.
Still, being concious about security is a rare but highly important virtue, and I hear almost daily about new hacks. Companies and even banks in Germany don't do that much, and I even contacted a CEO of one to inform them about the security problems they had, and they were just like "We know. We will take care of it, if our board agrees and..."
The rest of the sentence actually was ignored by me, because I don't waste time listening to dumb excuses. They don't realize what it costs to be hacked.
Ending: You MUST secure every system you use for critical things like that (Usually, money is critical to everyone. Let's agree that banking is critical, OK?). No matter if it is Linux or Windows! You wouldn't believe how many insecure Linux boxes are around in the world, because they aren't updated, have weak passwords, allow unauthorized use of mail servers or the likes of it.
|All times are GMT -5. The time now is 03:15 AM.|